Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was 
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to 
the Inspector General Act of 1978. This is one of a series of audit, inspection, and special 
reports prepared as part of our oversight responsibilities to promote economy, efficiency, 
and effectiveness within the department. 

This report presents the information technology (IT) management letter for the United 
States Coast Guard component of the FY 2010 DHS financial statement audit as of 
September 30, 2010. It contains observations and recommendations related to information 
technology internal control that were summarized in the Independent Auditors' Report, 
dated November 12, 2010 and presents the separate restricted distribution report mentioned 
in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit 
procedures at the Coast Guard component in support of the DHS FY 2010 financial 
statements and prepared this IT management letter. KPMG is responsible for the attached 
IT management letter dated March 22, 2011 and the conclusions expressed in it. We do not 
express opinions on DHS' financial statements or internal control or conclusion on 
compliance with laws and regulations. 

The recommendations herein have been developed to the best knowledge available to our 
office, and have been discussed in draft with those responsible for implementation. We 
trust that this report will result in more effective, efficient, and economical operations. We 
express our appreciation to all of those who contributed to the preparation of this report. 




Frank Deffer 
Assistant Inspector General 
Office of Information Technology Audits 



KPMG LLP 

2001 M Street, NW 
Washington, DC 20036-3389 



Inspector General 

U.S. Department of Homeland Security 

Chief Information Officer 
U.S. Coast Guard 
Chief Financial Officer 
U.S. Coast Guard 

Ladies and Gentlemen: 

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or 
Department), as of September 30, 2010 and the related statement of custodial activity for the year 
then ended (hereinafter referred to as "financial statements"). We were also engaged to examine 
the Department's internal control over financial reporting of the balance sheet as of September 30, 
2010 and the statement of custodial activity for the year then ended. We were not engaged to audit 
the statements of net cost, changes in net position, and budgetary resources as of September 30, 
2010 (hereinafter referred to as "other fiscal year (FY) 2010 financial statements"), or to examine 
internal control over financial reporting over the other FY 2010 financial statements. 

Because of matters discussed in our Independent Auditors' Report, dated November 12, 2010, the 
scope of our work was not sufficient to enable us to express, and we did not express, an opinion on 
the financial statements or on the effectiveness of DHS' internal control over financial reporting of 
the balance sheet as of September 30, 2010, and related statement of custodial activity for the year 
then ended. Additional deficiencies in internal control over financial reporting, potentially 
including additional material weaknesses and significant deficiencies, may have been identified and 
reported had we been able to perform all procedures necessary to express an opinion on the 
financial statements or on the effectiveness of DHS' internal control over financial reporting of the 
balance sheet as of September 30, 2010, and related statement of custodial activity for the year then 
ended; and had we been engaged to audit the other FY 2010 financial statements, and to examine 
internal control over financial reporting over the other FY 2010 financial statements. 

A control deficiency exists when the design or operation of a control does not allow management or 
employees, in the normal course of performing their assigned functions, to prevent, or detect and 
correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination 
of deficiencies, in internal control that is less severe than a material weakness, yet important enough 
to merit attention by those charged with governance. A material weakness is a deficiency, or a 
combination of deficiencies, in internal control, such that there is a reasonable possibility that a 
material misstatement of the entity's financial statements will not be prevented, or detected and 
corrected on a timely basis. 

The United States Coast Guard (Coast Guard or USCG) is a component of DHS. During our audit 
engagement, we noted certain matters in the areas of information technology (IT) configuration 
management, security management, access controls, and segregation of duties with respect to Coast 
Guard's financial systems IT general controls, which we believe 
contribute to an IT material weakness at the DHS level. These matters are described in the IT 
General Control and Financial System Functionality Findings and Recommendations by Audit Area 
section of this letter. 




KPMG LLP is a Delaware limited liability partnership, 
the U.S. member firm of KPMG International Cooperative 
("KPMG International"), a Swiss entity. 



The material weakness described above is presented in our Independent Auditors' Report, dated 
November 12, 2010. This letter represents the separate limited distribution letter mentioned in that 
report. 

The control deficiencies described herein have been discussed with the appropriate members of 
management, and communicated through a Notice of Finding and Recommendation (NFR). 

Because of its inherent limitations, internal control over financial reporting may not prevent, or 
detect and correct misstatements. Also, projections of any evaluation of effectiveness to future 
periods are subject to the risk that controls may become inadequate because of changes in 
conditions, or that the degree of compliance with the policies or procedures may deteriorate. We 
aim to use our knowledge of Coast Guard gained during our audit engagement to make comments 
and suggestions that are intended to improve internal control over financial reporting or result in 
other operating efficiencies. We have not considered internal control since the date of our 
Independent Auditors' Report. 

The Table of Contents on the next page identifies each section of the letter. We have provided a 
description of key Coast Guard financial systems and IT infrastructure within the scope of our 
engagement to audit the FY 2010 DHS financial statements in Appendix A; a listing of the FY 2010 
IT Notices of Findings and Recommendations at Coast Guard in Appendix B; and the status of the 
prior year NFRs and a comparison to current year NFRs in Appendix C; and Coast Guard 
management's written response in Appendix D. Our comments related to certain additional matters 
have been presented in a separate letter to the Office of Inspector General and the Coast Guard 
Chief Financial Officer. 

Coast Guard's written response to our comments and recommendations, presented in Appendix D, 
has not been subjected to auditing procedures and, accordingly, we express no opinion on it. 

This communication is intended solely for the information and use of DHS and Coast Guard 
management, DHS Office of Inspector General, U.S. Office of Management and Budget, U.S. 
Government Accountability Office, and the U.S. Congress, and is not intended to be and should not 
be used by anyone other than these specified parties. 

Very truly yours, 



Department of Homeland Security 
United States Coast Guard 

Information Technology Management Letter 
September 30, 2010 
OBJECTIVE, SCOPE, AND APPROACH 

In connection with our engagement to audit DHS' balance sheet as of September 30, 2010 and the 
related statement of custodial activity for the year then ended, we performed an evaluation of 
information technology general controls (ITGC) at Coast Guard to assist in planning and performing 
our audit. 

The Federal Information System Controls Audit Manual (FISCAM), issued by the Government 
Accountability Office (GAO), formed the basis of our ITGC evaluation procedures. The scope of the 
ITGC evaluation is further described in Appendix A. FISCAM was designed to inform financial 
auditors about IT controls and related audit concerns to assist them in planning their audit work and to 
integrate the work of auditors with other aspects of the financial audit. FISCAM also provides 
guidance to IT auditors when considering the scope and extent of review that generally should be 
performed when evaluating general controls and the IT environment of a federal agency. FISCAM 
defines the following five control functions to be essential to the effective operation of the ITGC 
environment. 

• Security Management (SM) - Controls that provide a framework and continuing cycle of activity 
for managing risk, developing security policies, assigning responsibilities, and monitoring the 
adequacy of computer-related security controls. 

• Access control (AC) - Controls that limit and/or monitor access to computer resources (data, 
programs, equipment, and facilities) to protect against unauthorized modification, loss, and 
disclosure. 

• Configuration Management (CM) - Controls that help to prevent the implementation of 
unauthorized programs or modifications to existing programs. 

• Segregation of duties (SD) - Controls that constitute policies, procedures, and an organizational 
structure to prevent one individual from controlling key aspects of computer-related operations, 
thus deterring unauthorized actions or access to assets or records. 

• Contingency Planning (CP) - Controls that involve procedures for continuing critical operations 
without interruption, or with prompt resumption, when unexpected events occur. 

To complement our ITGC audit procedures, we also performed technical security testing for key 
network and system devices. The technical security testing was performed within a select Coast 
Guard facility, and focused on test, development, and production devices that directly support Coast 
Guard's financial processing and key general support systems. Limited social engineering and after- 
hours physical security testing was also included in the scope of technical security testing. 

Application controls were not tested for the year ending September 30, 2010 due to the nature of 
prior-year audit findings. 
SUMMARY OF FINDINGS AND RECOMMENDATIONS 

During fiscal year (FY) 2010, Coast Guard took corrective action to address nearly half of the prior 
year IT control weaknesses. For example, Coast Guard strengthened its system security settings 
over some of its systems at the USCG Finance Center (FINCEN), strengthened account management 
and configuration management controls over the Workflow Imaging Network System (WINS), and 
improved the data center controls at FINCEN. However, 
during FY 2010, we continued to identify IT general control weaknesses at Coast Guard. The most 
significant weaknesses from a financial statement audit perspective are related to the controls over 
authorization, development, implementation, and tracking of IT scripts at FINCEN. These IT control 
deficiencies limited Coast Guard's ability to ensure that critical financial and operational data were 
maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these 
deficiencies negatively impacted the internal controls over Coast Guard financial reporting and its 
operation and we consider them to contribute to a material weakness at the Department level under 
standards established by the American Institute of Certified Public Accountants. In addition, based 
upon the results of our test work, we noted that the Coast Guard did not fully comply with the 
Department's requirements under the Federal Financial Management Improvement Act (FFMIA). 

In FY 2010, our IT audit work identified 28 IT findings, of which ten were repeat findings from the 
prior year and 18 were new findings. In addition, we determined that Coast Guard remediated eight 
IT findings identified in previous years. Specifically, the Coast Guard took actions to improve 
aspects of its user recertification process, data center physical security, and scanning for system 
vulnerabilities. The Coast Guard's remediation efforts have enabled us to expand our test work into 
areas that previously were not practical to test, considering management's acknowledgment of the 
existence of control deficiencies. Most of the new findings relate to IT systems that were added to 
our examination scope this year. 

Collectively, these findings represent deficiencies in four of the five FISCAM key control areas. The 
FISCAM areas impacted included Security Management, Access Control, Segregation of Duties, and 
Configuration Management. We also considered the effects of financial systems functionality when 
testing internal controls since key Coast Guard financial systems are not compliant with FFMIA and 
are no longer supported by the original software provider. Financial system functionality limitations 
add to the challenge of addressing systemic internal control weaknesses and strengthening the control 
environment at the Coast Guard. 

The majority of the findings indicate a lack of properly designed, detailed, and consistent guidance 
over financial system controls to enforce DHS Sensitive System Policy Directive 4300A requirements 
and National Institute of Standards and Technology (NIST) guidance. Specifically, the findings stem 
from 1) poorly, but improving, designed and operating IT script change control policies and 
procedures, 2) unverified access controls through the lack of user access privilege re-certifications, 3) 
entity-wide security program issues involving civilian and contractor background investigation 
weaknesses, 4) inadequately designed and operating audit log review policies and procedures, 5) 
physical security and security awareness, and 6) role-based training for individuals with elevated 
responsibilities. 
These deficiencies may increase the risk that the confidentiality, integrity, and availability of system 
controls and Coast Guard financial data could be exploited thereby compromising the integrity of 
financial data used by management and reported in DHS' consolidated financial statements. 

While the recommendations made by us should be considered by Coast Guard, it is the ultimate 
responsibility of Coast Guard management to determine the most appropriate method(s) for 
addressing the weaknesses identified based on their system capabilities and available resources. 
IT GENERAL CONTROLS AND FINANCIAL SYSTEM 
FUNCTIONALITY FINDINGS 

Findings and Recommendations: 

Conditions: During the FY 2010 DHS Financial Statement Audit, Coast Guard segment, we 
identified the following IT and financial system control deficiencies that in the aggregate significantly 
contribute to the material weakness at the department level. Our findings are divided into two 
groupings: 1) financial systems controls and 2) IT system functionality. 

Related to IT Financial Systems Controls 

Configuration Management 

We noted that Coast Guard's core financial system configuration management process controls are 
not operating effectively, and continue to present risks to DHS financial data confidentiality, 
integrity, and availability. Financial data in the general ledger may be compromised by automated 
and manual changes that are not adequately controlled. For example, the Coast Guard uses an IT 
scripting process to make updates to its core general ledger software as necessary to process financial 
data. During our FY 2010 testing, we noted that some previously identified control deficiencies were 
remediated (particularly with the implementation of a new script change management tool in the 
second half of FY 2010), while other deficiencies continued to exist. The remaining control 
deficiencies vary in significance. However, three key areas that impact the Coast Guard IT script 
control environment are: 

• Script testing requirements - Limited testing requirements exist to guide FINCEN staff in the 
development of test plans and guidance over the functional testing that should be performed; 

• Script testing environment - Not all script changes were tested in the appropriate test 
environments, as required; and 

• Script audit logging process - The Coast Guard's core system databases are logging changes to 
tables as well as successful and unsuccessful logins. However, no reconciliation between the 
scripts run and the changes made to the database tables is being performed to monitor the script 
activities and ensure that all scripts run have been approved. 

In addition, we noted weaknesses in the script change management process as it relates to the Internal 
Control over Financial Reporting (ICOFR) process (e.g., the financial statement impact of the 
changes to FINCEN core accounting system through the script change management process). The 
Coast Guard has not fully developed and implemented procedures to ensure that a script, planned to 
be run in production, has been through an appropriate level of review by a group of individuals 
thoroughly assessing if the script would have a financial statement impact. Furthermore, the rationale 
documenting the impact of the script, whether deemed as having financial impact or not, is not 
documented and retained for internal assessment or audit purposes. Internal controls that ensure the 
reliability of the scripting process must be effective throughout the year, but most importantly during 
the year-end close-out and financial reporting process. 
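The reconciliation that the script audit logging bullet above notes is not being performed can be automated once three records are available: the change-management tool's list of approved scripts and the tables each may touch, the scheduler's record of which script ran in which database session, and the database's own table-change audit trail. The following Python is an added illustration, not code from the report, KPMG, or the Coast Guard; the log formats, script names, change-request numbers, session identifiers and table names are constructed assumptions. It joins the three sources and surfaces the three conditions a reviewer would want flagged: a script that ran with no approval, an approved script that changed a table outside its approved scope, and a table change for which no script run was recorded.

```python
"""Reconcile scripts run against database table-change audit records.

Added example, not code from the report, KPMG or the Coast Guard. The log
formats, script names, change-request numbers and table names below are
constructed assumptions used only to illustrate the reconciliation.
"""


def parse_kv_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict (timestamp under 'ts')."""
    ts, *pairs = line.split()
    record = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


# Constructed: approved changes exported from the change-management tool,
# keyed by script name, with the tables each script was approved to modify.
APPROVED_SCRIPTS = {
    "fix_gl_balances_v3.sql": {"ticket": "CR-1001", "tables": {"GL_BALANCES"}},
    "reclass_obligations.sql": {"ticket": "CR-1002", "tables": {"GL_JE_HEADERS", "GL_JE_LINES"}},
}

# Constructed: scheduler record of which script ran in which database session.
SCRIPT_RUN_LOG = [
    "2010-09-28T21:02:10 user=dba01 script=fix_gl_balances_v3.sql session=S1",
    "2010-09-28T22:15:44 user=dba02 script=reclass_obligations.sql session=S2",
    "2010-09-29T01:30:05 user=dba02 script=adhoc_cleanup.sql session=S3",
]

# Constructed: database audit trail of table changes, tagged with the session.
DB_AUDIT_LOG = [
    "2010-09-28T21:02:15 session=S1 table=GL_BALANCES rows=412",
    "2010-09-28T22:15:50 session=S2 table=GL_JE_LINES rows=88",
    "2010-09-28T22:15:51 session=S2 table=AP_INVOICES rows=5",
    "2010-09-29T01:30:09 session=S3 table=GL_BALANCES rows=3",
    "2010-09-29T03:45:00 session=S9 table=GL_BALANCES rows=1",
]


def reconcile(script_runs, db_changes, approved):
    """Return sorted (finding, session, detail) tuples for anything a reviewer must follow up.

    UNAPPROVED_SCRIPT      a script ran that has no approved change request
    OUT_OF_SCOPE_TABLE     an approved script changed a table its approval did not cover
    CHANGE_WITHOUT_SCRIPT  a table changed in a session with no recorded script run
    """
    runs = {r["session"]: r for r in map(parse_kv_line, script_runs)}
    findings = []
    for session, run in runs.items():
        if run["script"] not in approved:
            findings.append(("UNAPPROVED_SCRIPT", session, run["script"]))
    for change in map(parse_kv_line, db_changes):
        run = runs.get(change["session"])
        if run is None:
            findings.append(("CHANGE_WITHOUT_SCRIPT", change["session"], change["table"]))
            continue
        approval = approved.get(run["script"])
        if approval and change["table"] not in approval["tables"]:
            findings.append(("OUT_OF_SCOPE_TABLE", change["session"],
                             f"{run['script']} -> {change['table']}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(SCRIPT_RUN_LOG, DB_AUDIT_LOG, APPROVED_SCRIPTS):
        print(*finding)
```

The join key is the database session identifier rather than a timestamp window, so a script that ran but touched nothing and a change made interactively outside any script are both distinguishable; the review output itself is what the report says should be retained as evidence that the control operated.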
Access Controls 

• Procedures surrounding the use of monitoring reports over contracted personnel data have not 
been formally documented. 

• Procedures over the process of finalizing and implementing entity-wide processes for account 
terminations and related notifications are still in draft and have not been implemented or 
communicated. 

• Audit log reviews for key financial systems are not being conducted on all key information, and 
are not being retained for self-assessment and audit purposes. 

• New user access forms are not retained for self-assessment and audit purposes. In addition, 
evidence of supervisory approval of new users was also not available for review. 

• Access review procedures for key financial applications do not include the review of all user 
accounts to ensure that all terminated individuals no longer have active accounts, that inactive 
accounts are locked, and that privileges associated with each individual are still authorized and 
necessary. 

• Account re-certifications are not being retained for self-assessment and audit purposes. 
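One way to carry out the account review that the findings above describe, as an added example that is not part of the report and not the Coast Guard's own process: a Python recertification check that compares a system's full account export against the HR roster and a role-to-privilege matrix. The roster, role names, privilege codes, dates and the 90-day inactivity threshold are all constructed assumptions. It flags the three conditions the finding names (terminated individuals with active accounts, inactive accounts not locked, privileges beyond what the owner's role authorizes) and, going a step further, accounts with no owner on the roster and logins that occurred after a termination date.

```python
"""Annual user-account recertification check for a financial application.

Added example, not code from the report, KPMG or the Coast Guard. The roster,
role-to-privilege matrix, account export, dates and the 90-day inactivity
threshold are constructed assumptions used only to illustrate the review.
"""
from datetime import date, timedelta

AS_OF = date(2010, 9, 30)                 # review date (constructed)
INACTIVITY_LIMIT = timedelta(days=90)     # assumed threshold for locking dormant accounts

# Constructed: HR/contractor roster, the authoritative source for who is still employed.
HR_ROSTER = {
    "jsmith": {"status": "active", "role": "accountant"},
    "bjones": {"status": "terminated", "term_date": date(2010, 6, 15), "role": "accountant"},
    "dba02": {"status": "active", "role": "dba"},
    "contr7": {"status": "active", "role": "contractor_readonly"},
}

# Constructed: privileges each role is authorized to hold.
ROLE_PRIVILEGES = {
    "accountant": {"GL_VIEW", "GL_POST"},
    "dba": {"GL_VIEW", "DB_ADMIN"},
    "contractor_readonly": {"GL_VIEW"},
}

# Constructed: account export pulled from the application (100% of accounts, not a sample).
ACCOUNT_EXPORT = [
    {"user": "jsmith", "enabled": True, "last_login": date(2010, 9, 28), "privs": {"GL_VIEW", "GL_POST"}},
    {"user": "bjones", "enabled": True, "last_login": date(2010, 7, 20), "privs": {"GL_VIEW", "GL_POST"}},
    {"user": "dba02", "enabled": True, "last_login": date(2010, 5, 1), "privs": {"GL_VIEW", "DB_ADMIN"}},
    {"user": "contr7", "enabled": True, "last_login": date(2010, 9, 20), "privs": {"GL_VIEW", "GL_POST"}},
    {"user": "svc_old", "enabled": True, "last_login": date(2009, 12, 1), "privs": {"GL_VIEW"}},
]


def review_accounts(accounts, roster, role_privs, as_of=AS_OF, limit=INACTIVITY_LIMIT):
    """Return sorted (finding, user, detail) tuples for every account that fails the review.

    TERMINATED_ACTIVE       enabled account belonging to a terminated person
    POST_TERMINATION_LOGIN  the account was used after the person's termination date
    NO_OWNER                account with no matching HR record (orphaned or service account)
    EXCESS_PRIVILEGE        privileges beyond what the owner's role authorizes
    INACTIVE_NOT_LOCKED     enabled account with no login inside the inactivity limit
    """
    findings = []
    for acct in accounts:
        user, enabled, last_login = acct["user"], acct["enabled"], acct["last_login"]
        person = roster.get(user)
        if person is None:
            findings.append(("NO_OWNER", user, "no HR record for account"))
        else:
            if person["status"] == "terminated":
                if enabled:
                    findings.append(("TERMINATED_ACTIVE", user, "enabled account for terminated user"))
                if last_login > person["term_date"]:
                    findings.append(("POST_TERMINATION_LOGIN", user,
                                     f"last login {last_login} after termination {person['term_date']}"))
            excess = acct["privs"] - role_privs.get(person["role"], set())
            if excess:
                findings.append(("EXCESS_PRIVILEGE", user, ",".join(sorted(excess))))
        idle = as_of - last_login
        if enabled and idle > limit:
            findings.append(("INACTIVE_NOT_LOCKED", user, f"{idle.days} days since last login"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNT_EXPORT, HR_ROSTER, ROLE_PRIVILEGES):
        print(*finding)
```

Running the check over the full export rather than a sample is what makes it a review of 100% of accounts; the returned list, together with the export it was run against, is the retained evidence of the recertification that the findings say is currently missing.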

Segregation of Duties 

• Audit log reviews are being performed by the system administrator, who is not considered an 
independent party as required by DHS MD 4300A. 

Security Management 

• Background investigations for all civilian employees have not been completed and Coast Guard's 
civilian position sensitivity designation process is not in compliance with DHS guidance. 

• Coast Guard procedures do not include specific guidance for the program managers on how to set 
the correct and consistent risk levels and position sensitivity designations for contract employees. 

• Policies and procedures for key control areas are not adequately detailed to provide clear and 
complete control descriptions. 

• There is a lack of a consistent contractor, civilian and military account termination notification 
process for Coast Guard systems. 

• During our after-hours physical security and social engineering testing, we identified exceptions 
in the protection of sensitive user account information. The table on page 6 details the exceptions 
identified at the various locations tested. 



After-Hours Physical Security Testing 

We performed after-hours physical security testing to identify risks related to non-technical aspects of 
IT security. These non-technical IT security aspects include physical access to media and equipment 
that houses financial data and information residing on a Coast Guard employee's/contractor's desk, 
which could be used by others to gain unauthorized access to systems housing financial information. 
The testing was performed at various Coast Guard locations that process and/or maintain financial 
data. The table on the following page provides a summary of our testing results. 
Security Weaknesses Observed During After-Hours Physical Security Testing 

                                            Coast Guard Locations Tested 
Exceptions Noted by Type         HQ - Jemal   HQ - Transpoint   Finance Center   Finance Center   Total Exceptions 
                                 (CG-6)       (CG-84)           - Main           - Annex          Noted by Type 
Passwords                             3            4                  2                -                  9 
For Official Use Only (FOUO)         11            -                  -                2                 13 
  Documents 
Keys/Badges                           -            1                  -                -                  1 
Personally Identifiable               -            1                  3                -                  4 
  Information (PII) 
Server Names/IP Addresses             -            -                  -                3                  3 
Unsecured Laptops                     1            2                  -                -                  3 
Unsecured External Drives             4           10                  -                2                 16 
Terminal root command left            -            -                  -                1                  1 
  unattended 
Directory structure map               -            -                  -                1                  1 
  unsecured 
Common Access Cards (CAC)             -            1                  1                -                  2 
Secure ID Token PIN                   2            -                  -                -                  2 
Active computer left unattended       -            -                  -                1                  1 
Total Exceptions by Location         21           19                  6               10                 56 

Source: Coast Guard management, OIG, and KPMG direct observation and inspection of work areas. 

Note: Approximately 20-25 desks/offices were examined for each one of the columns in the above table. 





Social Engineering Testing 

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking 
action that is inconsistent with DHS policies, such as divulging sensitive information or 
allowing/enabling computer system access. The term typically applies to deception for the purpose of 
information gathering, or gaining computer system access, as shown in the following table. 

Location                 Total Called   Total Answered   Number of people who provided a password 
Coast Guard HQ                45              11                           1 
Coast Guard FINCEN            50              23                           7 


Recommendations: We recommend that the Coast Guard Chief Information Officer (CIO) and Chief 
Financial Officer, in coordination with the DHS Office of Chief Financial Officer and the DHS Office 
of the Chief Information Officer, make the following improvements to Coast Guard's financial 
management systems and associated information technology security program. 

Configuration Management: 

We recommend that the Coast Guard CIO update the scripting policies and procedures to include 
additional and more detailed test documentation, develop training that addresses all aspects of script 
testing (including documentation of test documents) and provide training to appropriate CM staff, 
develop a resource plan (RP) with associated supporting business case(s) to address the database audit 
logging requirements, develop procedures and perform regular account revalidations for the Serena 
application to ensure privileges remain appropriate, and conduct an assessment over the ICOFR 
process related to identifying and evaluating scripts that have a financial statement impact. 

Access Controls: 

• Update account management procedures to effectively track and retain user access 
documentation; 

• Update account management procedures to provide clear guidance regarding the use of user 
access forms and update the access form to include an approval signature line; 

• Configure Coast Guard applications to enforce the strong password and password history 
requirements described in the DHS MD 4300A Policy Directive and update all impacted system 
documentation accordingly; 

• Update standard operating procedures to address the audit log review and retention procedures; 

• Update audit log review procedures within specific procedures to include more detail in recording 
the results of the review of the audit logs; 

• Continue with ongoing efforts for identifying, designing, and implementing automated tools to 
assist in audit log collection, storage, analysis, and reporting which will further improve 
consistency, timeliness, and accuracy of the reviews when compared with labor and time 
intensive manual processes; 

• Develop and document an enterprise-wide process that will notify all impacted system owners of 
terminated, transferred, or retired contractor, military, and civilian personnel; 

• Continue to update procedures to require an annual review of 100% of user accounts for the key 
financial systems and their associated privileges that are greater than read-only to ensure access is 
still required; 

• Develop a RP with associated supporting business case(s) to address the installation of Service 
Pack 3 on all applicable workstations and/or upgrade the operating systems of these workstations 
to the Coast Guard's Standard Image; and 

• Develop a RP with associated supporting business case(s) to address the server operating system 
upgrades to include a technical analysis to ensure server upgrades do not adversely affect system 
operation. 

Segregation of Duties: 

• Implement separation of duties for Coast Guard System audit log reviews. 

Security Management: 

• Update the policies and procedures currently in place to include clear guidance for Program 
Managers and Contracting Officers to assign contractor risk level(s) and position sensitivity 
designation requirements in order to verify that all contracts issued by the Coast Guard include 
the appropriate investigation level requirements; 

• Perform initial background investigations and re-investigations for civilian employees in 
accordance with DHS directives; 
• Update the annual Information Assurance (IA) training to include more robust office "physical 
security" and "clean desk" guidance and instruction and explicitly test individuals during the 
training on these topic areas; 

• Implement enterprise-wide and site-specific processes for verifying the effectiveness of this 
training via mechanisms such as scheduled and ad hoc desk checks, training follow-ups, and other 
management controls; 

• Develop, document, communicate, train, test, and continuously maintain policies and procedures 
for the cited IT control and process areas; 

• Continue to implement Commandant Instruction Information Assurance Professional 
Certification; and 

• Improve and utilize its manual tracking process until such time that the Direct Access 
implementation is in place. 

Related to Financial System Functionality 

Conditions: We noted that certain financial system functionality limitations are contributing to 
control deficiencies, inhibiting progress on corrective actions for Coast Guard, and preventing the 
Coast Guard from improving the efficiency and reliability of its financial reporting processes. Some 
of the financial system limitations lead to extensive manual and redundant procedures to process 
transactions, to verify the accuracy of data, and to prepare financial statements. Systemic conditions 
related to financial system functionality include: 

• As noted above, Coast Guard's core financial system configuration management process is not 
operating effectively due to inadequate controls over IT scripts. The IT script process was 
instituted as a solution primarily to compensate for system functionality and data quality issues. 

• Financial system audit logs are not readily generated and reviewed, as some of the financial 
systems are lacking the capability to perform this task efficiently. 

• Production versions of operational financial systems are outdated and do not provide the 
necessary core functional capabilities (e.g., general ledger capabilities). Financial systems 
functionality limitations are preventing the Coast Guard from establishing automated processes 
and application controls that would improve accuracy and reliability, and facilitate efficient 
processing of certain financial data such as: 

    - Ensuring proper segregation of duties and access rights such as automating the procurement 
      process to ensure that only individuals who have proper contract authority can approve 
      transactions or setting system access rights within the fixed asset subsidiary ledger; 

    - Maintaining sufficient data to support Fund Balance with Treasury related transactions, 
      including suspense activity; 

    - Maintaining adequate posting logic transaction codes to ensure that transactions are recorded 
      in accordance with Generally Accepted Accounting Principles; and 

    - Tracking detail transactions associated with intragovernmental business and eliminating the 
      need for default codes such as Trading Partner Identification Number that cannot be easily 
      researched. 
Recommendations: We recommend that the Coast Guard's Chief Information Officer and Chief 
Financial Officer update the scripting policies and procedures to include additional and more detailed 
test documentation, develop training that addresses all aspects of script testing (including 
documentation of test documents) and provide training to appropriate CM staff, develop a RP with 
associated supporting business case(s) to address the database audit logging requirements, develop 
procedures and perform regular account revalidations for Serena to ensure privileges remain 
appropriate, and conduct an assessment over the ICOFR process related to identifying and evaluating 
scripts that have a financial statement impact. 

APPLICATION CONTROLS 

Application controls were not tested for the year ending September 30, 2010, due to the nature of the 
prior-year audit findings. 



MANAGEMENT'S COMMENTS AND OIG RESPONSE 



We obtained written comments on a draft of this report from Coast Guard's Chief Information Officer 
and Chief Financial Officer. Generally, Coast Guard agreed with all of our findings and 
recommendations. Coast Guard has developed a remediation plan to address these findings and 
recommendations. We have included a copy of the comments in Appendix D. 

OIG Response 

We agree with the steps that USCG's management is taking to satisfy these recommendations. 
Appendix A 

Description of Key Coast Guard Financial Systems and IT Infrastructure within the Scope of the FY 2010 

DHS Financial Statement Audit 
Below is a description of significant Coast Guard financial management systems and supporting IT 
infrastructure included in the scope of the DHS Financial Statement Audit - Coast Guard Component. 

Locations of Audit: Coast Guard HQ in Washington, DC; the Coast Guard FINCEN in Chesapeake, 
Virginia (VA); the Operations Supply Center (OSC) in Martinsburg, West Virginia; Aviation Logistics 
Center (ALC) in Elizabeth City, North Carolina; and the Pay and Personnel Center (PPC) in Topeka, 
Kansas. 

Key Systems Subject to Audit: 
Core Accounting System (CAS) 

CAS is the core accounting system that records financial transactions and generates financial statements for 
the Coast Guard. CAS is hosted at the Coast Guard's FINCEN, in Chesapeake, VA. The FINCEN is the 
Coast Guard's primary data center. CAS is a customized version of Oracle Financials. CAS interfaces with 
two other systems located at the FINCEN, WINS and the Financial and Procurement Desktop (FPD). 

FPD 

The FPD application is used to create and post obligations to the core accounting system. It allows users to 
enter funding, create purchase requests, issue procurement documents, perform system administration 
responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS 
system and is located at the FINCEN in Chesapeake, VA. 

WINS 

WINS is the document image processing system, which is integrated with an Oracle Developer/2000 
relational database. WINS allows electronic data and scanned paper documents to be imaged and processed 
for data verification, reconciliation and payment. WINS utilizes MarkView software to scan documents and 
to view the images of scanned documents and to render images of electronic data received. WINS is 
interconnected with the CAS and FPD systems and is located at the FINCEN in Chesapeake, VA. 

Joint Uniform Military Pay System (JUMPS) 

JUMPS is a mainframe application used for paying USCG active and reserve payroll. JUMPS is located at 
the PPC in Topeka, Kansas. 

Direct Access 

Direct Access is the system of record and all functionality, data entry, and processing of payroll events is 
conducted exclusively in Direct Access. Direct Access is maintained by IBM Application On Demand 
(IBM AOD) in the iStructure data center facility at Tempe, AZ with a hotsite located in a Qwest data center 
in Sterling, VA. Coast Guard personnel that provide system support to Direct Access are located at Coast 
Guard HQ and PPC. 
Global Pay (Direct Access II) 

Global Pay provides retiree and annuitant support services. Global Pay is maintained by IBM Application 
On Demand in the iStructure data center facility at Tempe, AZ with a hotsite located in a Qwest data center 
in Sterling, VA. Coast Guard personnel that provide system support to Global Pay are located at Coast 
Guard HQ and PPC. 

Shore Asset Management (SAM) 

SAM is hosted at the Coast Guard's Operation System Center (OSC), in Martinsburg, WV. SAM provides 
core information about the Coast Guard shore facility assets and facility engineering. The application tracks 
activities and assists in the management of the Civil Engineering Program and the Facility Engineering 
Program. 

Naval and Electronics Supply Support System (NESSS) 

NESSS is one of four automated information systems that comprise the family of Coast Guard logistics 
systems. NESSS is a fully integrated system linking the functions of provisioning and cataloging, unit 
configuration, supply and inventory control, procurement, depot-level maintenance and property 
accountability, and a full financial ledger. 

Aviation Logistics Management Information System (ALMIS) 

ALMIS provides Coast Guard Aviation logistics management support in the areas of operations, 
configuration management, maintenance, supply, procurement, financial, and business intelligence. 
Additionally, ALMIS covers the following types of information: Financial, Budget, Planning, Aircraft & 
Crew Status, Training & Readiness, and Logistics & Supply. The Aviation Maintenance Management 
Information System (AMMIS), a subcomponent of ALMIS, functions as the inventory management/fiscal 
accounting component of the ALMIS application. The Aircraft Repair & Supply Center (ARSC) 
Information Systems Division (ISD) in Elizabeth City, North Carolina hosts the ALMIS application. 

CG Treasury Information Executive Repository (CG TIER) 

CG TIER is a financial data warehouse containing summarized and consolidated financial data relating to 
USCG operations. It is one of several supporting applications within CAS Suite designed to support the core 
financial services provided by FINCEN. CG TIER provides monthly submissions to DHS Consolidated 
TIER. 



Appendix B 

FY 2010 Notices of IT Findings and Recommendations at Coast Guard 

Department of Homeland Security 
United States Coast Guard 

Information Technology Management Letter 
September 30, 2010 

Notice of Findings and Recommendations - Definition of Severity Ratings: 

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS 
Consolidated Independent Auditor's Report. 

1 - Not substantial 

2 - Less significant 

3 - More significant 

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for 
consolidated reporting purposes. 

These ratings are provided only to assist the Coast Guard in the development of its corrective action plans for 
remediation of the deficiency. 
Department of Homeland Security 
FY 2010 Information Technology - Coast Guard 
Notices of Findings and Recommendations - Detail 

Disposition columns: Closed (marked X) or Repeat (the FY 2010 NFR number under which the finding was repeated). 

NFR # | Description | Closed | Repeat 
CG-IT-09-10 | Contractor Background Investigation Weakness | | 10-02 
CG-IT-09-14 | Weaknesses with Specialized Role-based Training for Individuals with Significant Security Responsibilities | | 10-10 
CG-IT-09-23 | SAM Audit Log Review Weakness | | 10-22 
CG-IT-09-25 | WINS Access Controls Need Strengthening | X | 
CG-IT-09-31 | Weaknesses Exist in the Configuration Management Controls Over the Scripting Process | | 10-05 
CG-IT-09-32 | Lack of Documented Contractor Tracking System Reconciliation Procedures | X | 
CG-IT-09-33 | Lack of a Consistent Contractor, Civilian, and Military Account Termination Process for Coast Guard Systems | | 10-01 
CG-IT-09-34 | WINS Change Control Weakness | X | 
(not legible) | Civilian Background Investigation Weakness | | (not legible) 
CG-IT-09-42 | Non-Compliance with FFMIA - Information Technology | | 10-24 
CG-IT-09-43 | Recertification Weakness within the User Management System (UMS) | X | 
CG-IT-09-45 | FINCEN data center access is not restricted to appropriately authorized personnel | X | 
CG-IT-09-46 | Configuration and Patch Management - Vulnerability Assessment | X | 
CG-IT-09-49 | JUMPS Audit Log Review Weakness | X | 
CG-IT-09-50 | Audit Trail Weaknesses within the Direct Access Application | | 10-28 
CG-IT-09-51 | Audit Trail Weaknesses within the Global Pay Application | X | 
CG-IT-09-52 | Recertification Weakness within the Direct Access Application | | 10-12 
CG-IT-09-53 | Security Awareness Issues Associated with the Protection of Sensitive Information | | 10-06 
Appendix D 

U.S. Department of Homeland Security 
United States Coast Guard 

MEMORANDUM 

Commandant 
United States Coast Guard 
2100 Second Street, S.W. Stop 7101 
Washington, DC 20593-7101 
Phone: (202) 475-3500 
Fax: (202) 475-3930 
Email: Robert.E.Day@uscg.mil 

5500 
FEB 24 2011 

Reply to: CG-632 
Attn of: Bruce Krebs 

From: K.A. Taylor, RDML, COMDT (CG-8) 

To: Mr. Frank Deffer, Assistant Inspector General, Information Technology Audits 

Subj: RESPONSE TO INFORMATION TECHNOLOGY MANAGEMENT LETTER FOR THE U.S. COAST GUARD 
COMPONENT OF THE FISCAL YEAR 2010 DHS INTEGRATED AUDIT 

Ref: (a) DHS OIG Memo dtd 14 Feb 2011 



1. In response to reference (a), thank you for the DHS Office of the Inspector General's (OIG) 
thorough, independent review of the general Information Technology (IT) controls associated 
with the USCG financial processing environment, IT infrastructure, and overall security 
program. This process, combined with other proactive activities, helps the USCG improve 
its Information Security (INFOSEC) posture. 

2. The OIG identified several conditions and findings that require corrective actions by the 
USCG. The USCG concurs with the basis for the conditions and findings that were 
documented in the FY10 IT Notice of Findings and Recommendations (NFRs) and 
summarized within the IT Management Letter. Specific details of those findings, and their 
potential impacts, will be discussed early in the FY11 audit during the prior year's review 
process. 

3. During the course of the audit, the USCG conducted a series of root cause analyses and 
determined the most appropriate method(s) for addressing identified weaknesses based upon 
system capabilities and resources. The USCG continues to implement and execute corrective 
actions to address the underlying conditions and findings to mitigate risk and improve 
security. These corrective actions (i.e., Plans of Action and Milestones (POA&Ms)) are 
developed, monitored, and reported via the DHS Trusted Agent FISMA (TAF) tool. FY10 
IT NFR remediation is overseen by the USCG CIO's Office (CG-6), with the exception of IT 
NFR CG-IT-10-05 (scripts) which is led by the USCG CFO's Office (CG-8). 

4. With respect to the Material Weakness associated with IT NFR 10-05, the USCG has 
established a team to address the root causes associated with Configuration Management 
Controls Over the Scripting Process. The NFR material weakness is based on the financial 
impact of the scripts, related to Internal Controls Over Financial Reporting (ICOFR). In 
addition, there is still some remediation work underway with IT general controls with script 
testing requirements, environment, and the logging process. 

5. The USCG understands the need to continuously improve IT security operations and has 
demonstrated this commitment by proactively seeking ways to improve controls governing 
the script process. The majority of the USCG system-oriented IT NFRs will be mitigated as 
they were identified during the audit or early within FY11. The USCG looks forward to 
working with the DHS OIG during the FY10 audit, where we anticipate confirmation of our 
corrective action approach through measurable, tangible results. 

Copy: CG-63 
CG-65 
CG-84 
CG-85 
Report Distribution 

Department of Homeland Security 

Secretary 

Deputy Secretary 

General Counsel 

Chief of Staff 

Deputy Chief of Staff 

Executive Secretariat 

Under Secretary, Management 

Commandant, USCG 

DHS Chief Information Officer 

DHS Chief Financial Officer 

Chief Financial Officer, USCG 

Chief Information Officer, USCG 

Chief Information Security Officer 

Assistant Secretary for Office of Policy 

Assistant Secretary for Office of Public Affairs 

Assistant Secretary for Office of Legislative Affairs 

DHS GAO OIG Audit Liaison 

Chief Information Officer, Audit Liaison 

USCG Audit Liaison 

Office of Management and Budget 

Chief, Homeland Security Branch 
DHS OIG Budget Examiner 

Congress 

Congressional Oversight and Appropriations Committees, as appropriate 
ADDITIONAL INFORMATION AND COPIES 

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, 
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. 



OIG HOTLINE 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal 
misconduct relative to department programs or operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, 
Attention: Office of Investigations - Hotline, 
245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 



The OIG seeks to protect the identity of each writer and caller. 



